I think I've hit the trifecta of stuff that doesn't work. I've read quite a bit about getting SMB working properly on 10.7 but in the threads I've read, people are using Open Directory or local accounts and that doesn't apply to me. A little about my setup: I am running a 10.7.3 Lion Server bound to Active Directory. There are only several local admin users on the machine; everyone else authenticates against AD. AFP connections work fine, using both local and AD accounts. SMB connections work fine if you use a local account but any AD account is rejected as having the wrong password when connecting via SMB. I've tried using the ad\username trick (our AD server is named "ad") even though you're not supposed to need that with 10.7.2 and above... it doesn't help.
I have tried both a Windows 7 client and a 10.6 client, specifying SMB as the protocol in the Connect To Server dialog. Both fail, and they also take several minutes before reporting the bad password (the slowness in responding is yet another problem I've read as being an issue). Checking the kdc.log file on the server I see:
2012-02-09T09:54:22 digest-request netr: failed user=AD\\dlennie DC status code c000006d
2012-02-09T09:54:22 digest-request: netr failed with -1073741715 proto=ntlmv2
2012-02-09T09:54:22 digest-request: od failed with 2 proto=ntlmv2
2012-02-09T09:54:22 digest-request: user=AD\\dlennie
2012-02-09T09:54:22 digest-request: kdc failed with 36150275 proto=unknown
2012-02-09T09:54:22 digest-request: guest failed with 22 proto=ntlmv2
I am using the full DNS name for the server, and on my test clients there are no firewalls or other network issues that would prevent connection to the server.
Anyone have the magic bullet that cures all of this? We're mostly Macs here but the Windows users become a rather vocal group when something doesn't go their way. The confusing part to me is that AFP authenticates just fine and SMB doesn't.
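For reading the kdc.log excerpt quoted in the post above, here is an added example (not part of the original post and not Apple's code) that parses the digest-request failure lines and shows that the hex `c000006d` and the signed decimal `-1073741715` are the same NTSTATUS value. The function name, the regexes and the choice to treat only the `netr` codes as NTSTATUS are assumptions made for this illustration.

```python
import re

# Constructed sample: the kdc.log lines quoted in the post above.
SAMPLE_LOG = r"""
2012-02-09T09:54:22 digest-request netr: failed user=AD\\dlennie DC status code c000006d
2012-02-09T09:54:22 digest-request: netr failed with -1073741715 proto=ntlmv2
2012-02-09T09:54:22 digest-request: od failed with 2 proto=ntlmv2
2012-02-09T09:54:22 digest-request: user=AD\\dlennie
2012-02-09T09:54:22 digest-request: kdc failed with 36150275 proto=unknown
2012-02-09T09:54:22 digest-request: guest failed with 22 proto=ntlmv2
"""

# A few well-known NTSTATUS logon codes (Windows-defined values).
NTSTATUS = {
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}

LINE_RE = re.compile(r"^(?P<ts>\S+) digest-request:? (?P<msg>.+)$")
DC_RE = re.compile(r"^netr: failed user=(?P<user>\S+) DC status code (?P<code>[0-9a-fA-F]+)$")
FAIL_RE = re.compile(r"^(?P<backend>\w+) failed with (?P<code>-?\d+) proto=(?P<proto>\S+)$")

def parse_digest_failures(log):
    """Return one dict per failure line; netr codes are normalised to unsigned NTSTATUS."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        dc, fail = DC_RE.match(m["msg"]), FAIL_RE.match(m["msg"])
        if dc:
            backend, proto, code = "netr", None, int(dc["code"], 16)
        elif fail:
            backend, proto, code = fail["backend"], fail["proto"], int(fail["code"])
        else:
            continue  # e.g. the bare "user=" line carries no result code
        # Assumption: only the netr (domain controller) path reports NTSTATUS;
        # it is logged once as hex and once as a signed 32-bit decimal.
        if backend == "netr":
            code &= 0xFFFFFFFF
        events.append({"ts": m["ts"], "backend": backend, "proto": proto, "code": code,
                       "status": NTSTATUS.get(code) if backend == "netr" else None})
    return events

if __name__ == "__main__":
    for e in parse_digest_failures(SAMPLE_LOG):
        print(e["ts"], e["backend"], e["proto"], hex(e["code"]), e["status"])
```

Codes from the `od`, `kdc` and `guest` backends are passed through undecoded because the post gives no basis for interpreting them.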